Everybody should install and use a password manager. Without a password manager, you'll find yourself using simple-minded passwords like Password1, or memorizing one strong password and using it over and over. Password manager prices range from nothing at all to $40 or more. At $12 per year, LastPass 4.0 Premium is on the low side for a commercial password manager price-wise, but on the high side feature-wise. The current version's online console has gotten a welcome facelift, along with a number of useful new features.
Don't get me wrong; the free LastPass 4.0 is amazingly full-featured, more so than some of its commercial competition. It's just that the dollar-a-month premium edition gives you even more.
If you haven't already, please read my review of LastPass's free edition. I'll summarize the shared features here, then dig deep into Premium-only features.
A strong master password is a must, since this password protects all of your other secrets, but you may want to think twice before defining a password hint. In June of 2015, hackers stole some data from LastPass's servers. They couldn't decrypt any passwords or master passwords—even LastPass's employees can't decrypt your data! But some master password hints may have been exposed. Even though no actual sensitive data was compromised, LastPass took the initiative and notified all users to update the master password.
As expected, LastPass captures your username and password when you log in to secure sites and replays those credentials when you revisit a site. It also captures login data when you sign up for a new account. Password Genie 5.2 and LogMeOnce Password Management Suite Ultimate are among the small group of competitors that capture passwords at signup.
When you need to create a new password, LastPass offers to generate a strong one for you automatically. By default, the password generator creates 12-character passwords that use digits, capital letters, and small letters. I'd be happier if it defaulted to 16 characters and included punctuation, as True Key by Intel Security does.
You can click the browser toolbar button to pick from a menu of saved sites; choosing a site both navigates there and logs you in. For more complete management of your saved data, you open the online vault. New in this edition, you can choose a tile-based display similar to what Dashlane 4 uses. You can now choose multiple items and categorize, share, or delete them. And a multi-purpose Add button lets you add a new folder, secure note, or website.
A panel at the right-hand side of a free account's vault displays ads. They're pretty innocuous; all I ever saw were ads for LastPass itself and partners like Yubico. The paid edition has no ads, freeing up more space for display of your saved logins.
LastPass fills Web forms using personal data profiles that you define. You can create any number of full profiles and of profiles containing just a credit card. Although it's not quite as flexible as RoboForm Everywhere 7, it gets the job done, and it proved quite accurate in testing.
One main purpose of using a password manager is to eliminate weak and duplicate passwords. LastPass's security challenge sifts through your saved passwords and calls out weak ones and duplicates, as well as passwords that haven't been changed in ages, and passwords associated with compromised websites. For about 80 well-known websites, LastPass can automatically update your account with a new, strong password. For others, you can click a link in the report to make the change manually. Dashlane offers a similar auto-change feature that supports about 500 websites.
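The checks such a security challenge performs can be sketched as follows. This is an added example, not LastPass's code or anything from the review; the vault entries, the breach list, the blocklist and the 60-bit and 365-day thresholds are all constructed assumptions.

```python
import math
import string
from collections import defaultdict
from datetime import date

# Constructed sample vault: (site, password, last changed). Not real data.
VAULT = [
    ("mail.example", "Password1", date(2015, 11, 2)),
    ("shop.example", "Password1", date(2012, 3, 14)),
    ("bank.example", "q7Zr!m2K#vT9xL4@", date(2015, 10, 20)),
    ("forum.example", "hT4kQ9wZ2mXp", date(2011, 6, 1)),
]
BREACHED_SITES = {"forum.example"}          # constructed list of compromised sites
COMMON = {"password1", "123456", "qwerty"}  # tiny constructed blocklist

def pool_bits(pw):
    """Upper bound on strength: length * log2(size of the character pool used)."""
    pool = 0
    for chars in (string.ascii_lowercase, string.ascii_uppercase,
                  string.digits, string.punctuation):
        if any(c in chars for c in pw):
            pool += len(chars)
    return len(pw) * math.log2(pool) if pool else 0.0

def audit(vault, today, min_bits=60.0, max_age_days=365):
    """Return {site: [flags]} for weak, duplicate, old and breached-site entries."""
    sites_by_pw = defaultdict(list)
    for site, pw, _ in vault:
        sites_by_pw[pw].append(site)
    report = {}
    for site, pw, changed in vault:
        flags = []
        # The blocklist catches guessable passwords that the pool bound overrates.
        if pw.lower() in COMMON or pool_bits(pw) < min_bits:
            flags.append("weak")
        if len(sites_by_pw[pw]) > 1:
            flags.append("duplicate")
        if (today - changed).days > max_age_days:
            flags.append("old")
        if site in BREACHED_SITES:
            flags.append("breached-site")
        report[site] = flags
    return report

if __name__ == "__main__":
    for site, flags in audit(VAULT, date(2015, 12, 1)).items():
        print(f"{site:15} {', '.join(flags) or 'ok'}")
```

The pool-size figure is only an upper bound that holds for randomly generated passwords, which is why the blocklist check runs alongside it.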
LastPass's new Emergency Access feature lets you define one or more people who inherit your passwords in the event of your demise. Like Dashlane, LastPass lets you assign a waiting period for each recipient. If you haven't actually given up the ghost, you can cancel an attempt to access your data any time during the waiting period. Dashlane goes a step further, allowing you to share just a subset of your passwords with an emergency contact. You can configure LogMeOnce Password Management Suite Ultimate to pass along all of your data to a single heir, or pass along up to five individual passwords.
Promiscuous password sharing is pernicious! Don't just randomly let a friend log in to your account, no matter how unimportant the site.
When you do need to share access to an account, do it securely via LastPass. Sharing is easy—just select the item, enter the recipient's email address, and choose whether to let them see the password or merely use it without seeing it. Recipients who already use LastPass see a notification within the program; those who aren't using LastPass can click a link in the sharing email to install a free copy of the program.
That level of sharing is available for free. If you're a premium user, you can also create a shared folder, perhaps for sharing passwords your whole family needs to use. For each of up to five group members you can choose whether or not to show the passwords, and whether or not to make the folder read-only. If you don't choose read-only, that member can add, remove, and change passwords in the shared folder.
LastPass for Applications
Most websites use a standard kind of form for password entry, so it's easy for LastPass to capture those. Even if the site's login page is wonky, you can enter your data and tell LastPass to simply capture all fields.
Managing passwords for applications is quite another story, and not many products attempt it. RoboForm is one of the few that do, and Sticky Password Premium is particularly effective.
LastPass for Applications is available to all premium users as a separate download. Install it, log into your account, and you're ready to go.
Capture and replay of application passwords is a multi-step operation, decidedly more complex than for websites. To start, you bring up the application's login form. Next you right-click LastPass's notification area icon and choose Add Application. As with Sticky Password, you identify the form in question by clicking on it with a crosshairs cursor. Next you enable training mode, fill in the username and password, and terminate training mode. You've just saved an application password!
In theory, you should now be able to select the saved application from the program's right-click menu to launch it and log in automatically. In testing, though, I found that LastPass launched the program but didn't log in. I had to configure the program to fill credentials using a hotkey. Pressing the hotkey enabled another crosshairs cursor; clicking the login form with that cursor correctly filled in the saved credentials. My LastPass contact confirmed that this step is needed for some, but not all, secure applications.
Enhanced Multifactor Authentication
It's extremely important that you use a strong yet memorable master password, since this password protects all of your other login credentials. By the same token, a malefactor who gains access to your master password now owns all of your accounts. That is, unless you enable multifactor authentication.
LastPass's free edition allows multifactor authentication using Google Authenticator, Twilio Authy, Duo Mobile, and a couple of other free smartphone-based authentication apps. With multifactor enabled, only someone who knows your master password and possesses your smartphone can log in. There's also a super low-tech multifactor option that involves a printed wallet-sized numeric grid.
The premium edition takes multifactor authentication to the next level, with several new choices. If your Mac or Windows PC has a fingerprint reader, built-in or external, you can require fingerprint authentication. Fingerprint authentication also works on mobile devices that support it.
You can also enable authentication using a YubiKey, a tiny $25 USB device that you carry in your pocket. I've had one on my keychain for almost seven years now; it's a tough little thing! Once you associate a particular YubiKey with your LastPass account, login requires both the master password and the device. Enter your password, insert the YubiKey into a USB port, and touch its button to generate a one-time password.
Don't want to spend money on a YubiKey? That's OK. You can get a similar effect by downloading the Windows, Linux, or Mac version of LastPass's premium-only Sesame app to any USB drive. Once you've activated the installation and associated it with your account, it generates one-time passwords on demand.
Syncing All Devices
LastPass on a mobile device has a feature set almost identical to the desktop edition. You can't plug in a YubiKey or other USB device, naturally, but you can log in to websites, fill forms, manage your saved logins, share items, and just about anything you could do on the desktop.
There are a few minor differences. LastPass can fill login credentials in Safari on iOS devices by way of the share icon, the same one that lets you share a page via text or email. However, form filling in iOS only works in LastPass's own internal browser. If your iOS device supports Touch ID, you can choose to use it for authentication.
Likewise, on an Android device LastPass can automate login in Chrome, but form-filling requires use of the internal browser. However, under Android, LastPass can manage passwords for apps as well as websites, with a Fill Helper icon in the notification bar.
While you can log in to your LastPass vault from any browser, full access to all of the program's capabilities typically requires installation of the LastPass browser extension. That can be a problem if you're connecting from a computer where you don't have permission (or inclination) to install extensions.
To get around this problem, Premium users can download LastPass IE Anywhere and save it to a thumb drive. When launched, it provides full access to the program's features without relying on a browser extension. This also lets you use LastPass on off-brand browsers for which no extension exists.
It's probably not the best idea to log in to your password stash from a public computer. But if you must, you'll be happy to know that IE Anywhere leaves no traces in the file system or Registry.
LastPass 4.0 Premium syncs your passwords across any number of devices, device types, and operating systems. In addition to the impressive feature set found in LastPass's free edition, going premium gets you enhanced multifactor authentication, a better way to share passwords, the ability to manage passwords for applications, and more. It's everything you need in a password manager.
Despite LastPass's user interface upgrade, Dashlane still offers a slicker experience, but LastPass goes farther in terms of features. These two, along with Sticky Password Premium, are our top picks for commercial password management.